New Malware.q trojan; Generic.ca trojan; Uploader-r and other viruses here, thank you

[orcascogins]

I had lost data on a hard drive and while getting programs to recover data, I got more this I need, which includes the "New Malware.q trojan; Generic.ca trojan; Uploader-r and other viruses". I have ran various antiviruses and spyware tools, but still being stubborn. Only thing I'm really need to keep is email stuff with outlook express, so all other stuff is up for cleaning.

Michael

HJT log shown below

Logfile of HijackThis v1.99.1
Scan saved at 7:02:21 PM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\DOCUME~1\ORCASC~1\LOCALS~1\Temp\7.tmp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [0go40rm8.dll] RUNDLL32.EXE 0go40rm8.dll,b 781654039
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\ORCASC~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\ORCASC~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [kuim] C:\PROGRA~1\COMMON~1\kuim\kuimm.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129011148417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37470.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O19 - User stylesheet: C:\WINDOWS\neopets.css
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

[Ried]

Hello orcascogins and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

---------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [0go40rm8.dll] RUNDLL32.EXE 0go40rm8.dll,b 781654039
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\ORCASC~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\ORCASC~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKCU\..\Run: [kuim] C:\PROGRA~1\COMMON~1\kuim\kuimm.exe

Click 'Fix Checked' and close HijackThis.

---------------------------

Using Windows Explorer, navigate to and delete the following Files and Folders if they still exist.

0go40rm8.dll <--Search for this via Start>Search and delete
C:\PROGRA~1\COMMON~1\ kuim

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Reboot into Normal Mode.

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
• Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log.

[orcascogins]

OK, done all from last post, sorry took a little longer, virusscan took forever. Ready for more...

Active Scan Log:



Incident Status Location

Adware:adware/azesearch Not disinfected C:\WINDOWS\SYSTEM32\azebar.xml
Adware:Adware/AzeSearch Not disinfected C:\WINDOWS\Downloaded Program Files\azesearch.inf
Spyware:Cookie/YieldManager Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@adopt.hbmediapro[1].txt
Spyware:Cookie/Ask Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@ask[1].txt
Spyware:Cookie/nCase Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@banners.searchingbooth[1].txt
Spyware:Cookie/BurstNet Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@com[2].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@go[2].txt
Spyware:Cookie/Rightmedia Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@rightmedia[2].txt
Spyware:Cookie/BurstBeacon Not disinfected E:\Documents and Settings\Autumn\Cookies\autumn@www.burstbeacon[2].txt
Spyware:Cookie/YieldManager Not disinfected E:\Documents and Settings\Christopher\Cookies\christopher@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\Christopher\Cookies\christopher@adopt.hbmediapro[1].txt
Spyware:Cookie/nCase Not disinfected E:\Documents and Settings\Christopher\Cookies\christopher@banners.searchingbooth[1].txt
Spyware:Cookie/go Not disinfected E:\Documents and Settings\Christopher\Cookies\christopher@go[1].txt
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\Freddy\Cookies\freddy@adopt.hbmediapro[1].txt
Spyware:Cookie/nCase Not disinfected E:\Documents and Settings\Freddy\Cookies\freddy@banners.searchingbooth[1].txt
Spyware:Cookie/go Not disinfected E:\Documents and Settings\Freddy\Cookies\freddy@go[1].txt
Spyware:Cookie/Rightmedia Not disinfected E:\Documents and Settings\Freddy\Cookies\freddy@rightmedia[1].txt
Spyware:Cookie/YieldManager Not disinfected E:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\Guest\Cookies\guest@adopt.hbmediapro[1].txt
Spyware:Cookie/Ask Not disinfected E:\Documents and Settings\Guest\Cookies\guest@ask[1].txt
Spyware:Cookie/nCase Not disinfected E:\Documents and Settings\Guest\Cookies\guest@banners.searchingbooth[1].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\Guest\Cookies\guest@dist.belnk[2].txt
Spyware:Spyware/Apropos Not disinfected E:\Documents and Settings\Guest\Local Settings\Temp\AutoUpdate0\setup.inf
Spyware:Spyware/Apropos Not disinfected E:\Documents and Settings\Guest\Local Settings\Temp\~apropos0\WinGenerics.dll
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\Jacob\Cookies\jacob@adopt.hbmediapro[1].txt
Spyware:Cookie/nCase Not disinfected E:\Documents and Settings\Jacob\Cookies\jacob@banners.searchingbooth[1].txt
Spyware:Cookie/Errorguard Not disinfected E:\Documents and Settings\Jacob\Cookies\jacob@errorguard[2].txt
Spyware:Cookie/go Not disinfected E:\Documents and Settings\Jacob\Cookies\jacob@go[1].txt
Spyware:Cookie/Rightmedia Not disinfected E:\Documents and Settings\Jacob\Cookies\jacob@rightmedia[2].txt
Adware:Adware/Exact.BargainBuddy Not disinfected E:\Documents and Settings\Jacob\Local Settings\Temporary Internet Files\Content.IE5\Q2CQ9H1Y\adopt[1].ve
Spyware:Cookie/nCase Not disinfected E:\Documents and Settings\LocalService\Cookies\michael & shirley@banners.searchingbooth[1].txt
Adware:Adware/VirtualBouncer Not disinfected E:\WINDOWS\bundles\2504041110.exe
Adware:Adware/IPInsight Not disinfected E:\WINDOWS\inf\conscorr.inf


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:01:52 AM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
C:\WINDOWS\essspk.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129011148417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37470.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O19 - User stylesheet: C:\WINDOWS\neopets.css
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

[tetonbob]

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

-----------------------------------------------------

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies

-----------------------------------------------------

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

-----------------------------------------------------

Download Ewido Security Suite

• Install Ewido Security Suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

-----------------------------------------------------

Run CleanUp once again, using the same settings as before.

-----------------------------------------------------


Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

-----------------------------------------------------


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

-----------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

-----------------------------------------------------

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 /u occache.dll

Delete the following Files/Folders if they exist:

C:\WINDOWS\SYSTEM32\azebar.xml
C:\WINDOWS\Downloaded Program Files\azesearch.inf
E:\WINDOWS\bundles\ 2504041110.exe
E:\WINDOWS\inf\ conscorr.inf



Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 occache.dll

-----------------------------------------------------


Next, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

-----------------------------------------------------

How is your system behaving now, please?

[orcascogins]

Do you have another link for this, I have tried many many times to dl this and it gives a dns error.

Download Ewido Security Suite
Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu
Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

[Ried]

Hi,

The link is working fine for me, try copy/paste the full address into your address bar and see if it will work. http://download.ewido.net/ewido-setup.exe

[orcascogins]

ok, finally got everything done as asked, lister below are the longs requested. Computer seems to be running good, but then again, you just had me delete some things I didn't know I had, so lets keep going please. Just to mention, When I'm finally clean, I want to change back to zonealarm instead of lavasoft, which one is better?

Logs below:

aproposfix:

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\OrcaScogins\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:

Backing up files:
Done!

Removing registry entries:

REGEDIT4

Done!

Finished!


Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:05:55 AM, 2/13/2006
+ Report-Checksum: C1B5F7C6

+ Scan result:

C:\WINDOWS\azesearch.bmp -> Adware.Azesearch : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@com[2].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Autumn\Cookies\autumn@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
E:\Documents and Settings\Christopher\Cookies\christopher@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
E:\Documents and Settings\Christopher\Cookies\christopher@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Christopher\Cookies\christopher@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
E:\Documents and Settings\Freddy\Cookies\freddy@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Freddy\Cookies\freddy@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
E:\Documents and Settings\Freddy\Cookies\freddy@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
E:\Documents and Settings\Freddy\Cookies\freddy@realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
E:\Documents and Settings\Guest\Cookies\guest@realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Guest\Local Settings\Temp\~apropos0\WinGenerics.dll -> Adware.Apropos : Cleaned with backup
E:\Documents and Settings\Jacob\Cookies\jacob@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\Jacob\Cookies\jacob@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
E:\Documents and Settings\Jacob\Cookies\jacob@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
E:\Documents and Settings\Jacob\Cookies\jacob@realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
E:\Documents and Settings\LocalService\Cookies\michael & shirley@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
E:\Program Files\NetMeeting\SS\ServerSide.dll -> Adware.PowerZone : Cleaned with backup


::Report End


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:53 PM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129011148417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37470.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O19 - User stylesheet: C:\WINDOWS\neopets.css
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

[tetonbob]

I've not used Lavasoft's Firewall, I have used ZA. The best firewall is one that's in place, and user friendly. If you prefer ZA, you can't go wrong with it.

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• IE-SPYAD
  IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
• AVG
  
  It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

[orcascogins]

OK, all is done except installing the recommended software. I wanted to ask a few questions before I install them.

1. what is a smart drive for the HD and should I turn them on?

2. the computer still freezes every now and then, i think because of hardware and xp compatibility thing, but i'm not sure. Just wondering but it only happens every now and then

3. do i uninstall the software (ewido, aproprosfix, etc) used to clean the viruses, except for the ones recommended for maintaining a clean system

[MicroBell]

1. Yes. "Smart Drive" is a disk diagnostics and disk failure prediction software. It uses SMART techology to predict possible drive failure.

2. There's 100's of reasons why a PC may freeze. Try disabling some of your programs from starting to see if they are a cause. Check your RAM and Power Supply and make sure they are fine.

3. Yes. Uninstall what you don't need but keep the others recommended for protection and cleaning.

[orcascogins]

ok, i uninstalled panda active scan, then I dl and installed zone alarm and then uninstalled the lavasoft firewall, after uninstalling lavasoft firewall, it asked to reboot to complete the uninstallation, now it will not boot up, giving me the

"A disk read error occurred"
press ctrl+Alt+Del to restart

and it keeps going in that circle

help again please, as i didnt think i did anything wrong this time

[orcascogins]

bump.

[MicroBell]

You installed ZA while Lavasofts firewall was still in place? Try to enter safe mode and uninstall both. Sounds like you corrupted something in Windows. While in safe mode..run a disk check to make sure nothing is wrong with the hard drive as the error message sounds like that.

[orcascogins]

Yes, i installed ZA while Lavesoft's was running, didnt even think about it. Cant get to safe mode, doesn't even boot that far. I was able to run a check with PowerMax for Maxtor harddrives and it found and fixed some errors, but still wont boot any more then

Verifing DMI Pool Data.........
Boot from CD:
A disk read error occurred
Press Ctrl+Alt+Del to restart

im open to suggestions, please

[MicroBell]

You'll need to boot to the XP CD and run the recovery console. Either that...or repair XP. Since you can't enter safe mode or normal mode...your options are limited. If there is critical data on that hard drive..you can slave it to another PC....copy what you need and reinstall XP if all else fails.

[orcascogins]

sorry, i got busy with kids and things forgot to post and close this thread. Had to reload xp, but all is good now and I'm installing the programs mentioned above, thank you again for all your help,
michael